PRIVACY Forum Digest Saturday, 27 June 1998 Volume 07 : Issue 11
Moderated by Lauren Weinstein (lauren@vortex.com)
Vortex Technology, Woodland Hills, CA, U.S.A.
http://www.vortex.com
===== PRIVACY FORUM =====
-------------------------------------------------------------------
The PRIVACY Forum is supported in part by
the ACM (Association for Computing Machinery)
Committee on Computers and Public Policy,
"internetMCI" (a service of the Data Services Division
of MCI Telecommunications Corporation),
Cisco Systems, Inc., and Telos Systems.
- - -
These organizations do not operate or control the
PRIVACY Forum in any manner, and their support does not
imply agreement on their part with nor responsibility
for any materials posted on or related to the PRIVACY Forum.
-------------------------------------------------------------------
********************************************
* PRIVACY Forum Six Year Anniversary Issue *
********************************************
CONTENTS
Update on DoubleClick, Inc.
(Lauren Weinstein; PRIVACY Forum Moderator)
NZ to introduce Photo-ID Drivers' Licenses
(Patrick Dunford)
FAA to remove airmen's mailing addresses from public databases
(William A. Lynn III)
Financial privacy (Phil Agre)
Inmates process vehicle records (Carl Jester)
Information Privacy in Cyberspace Transactions (Jerry Kang)
New Guide on Children's Online Privacy (Beth Givens)
Local police conduct drug sweep of college dorm (John Meola)
Health Information Privacy Alert - May digest (Dennis Melamed)
ACLU Condemns Mandatory Blocking Software in Public Libraries
(Monty Solomon)
ACLU Says New Medical Privacy Legislation Falls Short (Monty Solomon)
NSA Declassifies Algos (John Young)
*** Please include a RELEVANT "Subject:" line on all submissions! ***
*** Submissions without them may be ignored! ***
-----------------------------------------------------------------------------
The Internet PRIVACY Forum is a moderated digest for the discussion and
analysis of issues relating to the general topic of privacy (both personal
and collective) in the "information age" of the 1990's and beyond. The
moderator will choose submissions for inclusion based on their relevance and
content. Submissions will not be routinely acknowledged.
All submissions should be addressed to "privacy@vortex.com" and must have
RELEVANT "Subject:" lines; submissions without appropriate and relevant
"Subject:" lines may be ignored. Excessive "signatures" on submissions are
subject to editing. Subscriptions are by an automatic "listserv" system; for
subscription information, please send a message consisting of the word
"help" (quotes not included) in the BODY of a message to:
"privacy-request@vortex.com". Mailing list problems should be reported to
"list-maint@vortex.com".
All messages included in this digest represent the views of their
individual authors and all messages submitted must be appropriate to be
distributable without limitations.
The PRIVACY Forum archive, including all issues of the digest and all
related materials, is available via anonymous FTP from site "ftp.vortex.com",
in the "/privacy" directory. Use the FTP login "ftp" or "anonymous", and
enter your e-mail address as the password. The typical "README" and "INDEX"
files are available to guide you through the files available for FTP
access. PRIVACY Forum materials may also be obtained automatically via
e-mail through the listserv system. Please follow the instructions above
for getting the listserv "help" information, which includes details
regarding the "index" and "get" listserv commands, which are used to access
the PRIVACY Forum archive.
All PRIVACY Forum materials are available through the Internet Gopher system
via a gopher server on site "gopher.vortex.com/".
Access to PRIVACY Forum materials is also available through the Internet
World Wide Web (WWW) via the Vortex Technology WWW server at the URL:
"http://www.vortex.com"; full keyword searching of all PRIVACY Forum files
is available via WWW access.
-----------------------------------------------------------------------------
VOLUME 07, ISSUE 11
Quote for the day:
"I'm getting frightfully healthy you know..."
-- Sir Harry Percival (Reginald Denny)
"Cat Ballou" (Columbia; 1965)
----------------------------------------------------------------------
Date: Sat, 27 Jun 98 10:24 PDT
From: lauren@vortex.com (Lauren Weinstein; PRIVACY Forum Moderator)
Subject: Update on DoubleClick, Inc.
Greetings. Regular readers of this digest will recall my recent discussion
of banner ad practices ("Sex, Crime, and Banner Ads" in Vol 07 #10), and my
attempts to reach DoubleClick, Inc. to discuss their particular practices
regarding sexually-oriented advertising, ads for online gambling, and
related privacy concerns. At that time, the spokeswoman I reached told me
they didn't wish to discuss these issues with me.
Subsequently to the publication of my article here in the digest, there was
a significant change in their attitude. Within 48 hours I received e-mail
from DoubleClick's CEO, and shortly thereafter I received separate calls
from the original spokeswoman and Kevin Ryan, DoubleClick's president.
All were very cordial and expressed a willingness to chat about the issues.
I much appreciated this sudden turn of events.
I had a long, friendly, and detailed conversation with Mr. Ryan.
Unfortunately, my sense at the end of the conversation was that my original
analysis was correct, and that we're dealing with wildly divergent world
views when it comes to responsibility vs. what I would personally term
"exploitation."
My interpretation of DoubleClick's view (as expressed to me by Mr. Ryan) is
that they are willing to carry ads for essentially anything that "is
legal." They say that they attempt to avoid their keyword sales from
creating inappropriate responses, and claimed that the case I pointed out
where religious searches could yield adult-oriented ads was an aberration
that would be fixed (as of today, as I write this some weeks later, it
apparently has not been "repaired" and continues as before...)
They also say that each of their web site clients must specifically approve
the classes of ads that they will carry, so that, for example, adult ads
wouldn't appear unless the client said they were willing to accept them.
Mr. Ryan insisted that Digital Equipment Corporation's AltaVista site must
have approved the provision of adult ads in response to keyword searches,
otherwise they wouldn't be appearing.
On the overall subject of their ad content (adult, online gambling, etc.),
they apparently do not consider themselves to be like ordinary ad agencies
(which I pointed out often exercise considerable control over the types of
products and services with which they will deal). Mr. Ryan said that since
they have exclusive contracts with their client sites, they feel that they
"must" make available all sorts of ads, subject only to their not being
considered "illegal" according to their research, and with the approval of
the ad categories by the client. He feels that they don't provide
any "content"--even though all the ads are sitting on their servers for
provision to web sites.
I pointed out that, if it were desired, DoubleClick could easily have a
provision in their contracts to let their clients get ads from elsewhere if
DoubleClick didn't want to carry particular types of ads, but by creating
"exclusive" contracts DoubleClick seems to have an excuse for an almost
total lack of discretion in their ad inventory.
I posed a hypothetical to Mr. Ryan that I think goes a long way towards
illustrating the attitudes at work in this situation. I asked if they would
be willing to carry ads from someone selling books or other information on
constructing bombs. He said yes, they would, as long as the information was
considered legal. He added that he didn't believe it likely that any of
DoubleClick's client web sites would be interested in carrying such ads,
however.
But what's striking to me is the seeming lack of any apparent attempt to
introduce even a minimal social conscience to their ad inventory. A good
business policy in the short run? How about in the long run? No matter
what your own feelings may be about such issues, it appears that DoubleClick
is operating completely legally and within their rights. But does such an
attitude play directly into the hands of those who would impose outside
censorship upon the Internet? I'm afraid that's indeed the case.
It would appear that it's up to the users of web sites to express their
displeasure (or approval, if that's their feeling) about the ads they see,
directly to the operators of those sites. Some users might wish to make
it clear that they will choose not to patronize sites which don't attempt to
show at least a degree of ethics in their ad inventories. If users choose
to silently accept whatever flashes forth on their screens, and don't bother
to express their views to the folks making the ad purchase decisions for
those sites, it's unlikely that we'll see any improvement, anytime soon.
--Lauren--
Lauren Weinstein
Moderator, PRIVACY Forum
http://www.vortex.com
------------------------------
Date: Fri, 22 May 1998 22:11:19 +1200
From: "Patrick Dunford" <pdunford@caverock.net.nz>
Subject: NZ to introduce Photo-ID Drivers' Licenses
Legislation was introduced to the New Zealand Parliament in late 1997
which proposes the replacement of the present lifetime licenses with
10-year photo-ID license cards. This legislation received little
publicity or public attention until 21 April when the report of the
Privacy Commissioner, which raised serious concerns about the proposed
cards, was publicised (it was issued more than 6 weeks earlier).
This legislation is of extreme concern because it grants authority
for:
* Police to demand drivers' licenses on demand
* Police to detain drivers for short periods of time in order to
determine their identity
* Use of digitised photographs which are stored in a computer, thus
permitting their distribution to other interested agencies or parties
* Requirement for the holder's date of birth to be displayed on the
card
* The granting to the LTSA of authority to sell proof of ID cards to
any person (not just to licensed drivers).
The Privacy Commissioner in his report stated "The main privacy risks
of the proposal have little to do with driver licensing but much to do
with creating the conditions for a de facto national identification
card...". This impression is heightened particularly by the provision
of the clause buried in Section 161 of the Bill (almost at its end)
which reads:
"(3) The Authority may produce, in a form determined by the Authority,
a proof of identity card for persons who wish to purchase a card." It
is this clause which has raised the Commissioner's hackles because it
allows cards to be issued for purposes that have nothing to do with
drivers' licensing. This appears to be a sneaky move by the Government
to bring in a politically unpopular measure by backdoor means,
particularly when its previous secretive attempts to do so were
revealed in 1991. It is also disturbing that some submissions on the
Land Transport Bill have supported the introduction of the photo-ID on
the basis of the need for an ID card. What need?
ID card proposals are not new in New Zealand. Several governments have
been working on them for at least 11 years. In 1991 a senior public
servant revealed State proposals for the introduction of a national
identity card called the Kiwicard. That proposal was denied by the
then Prime Minister, who was immediately contradicted by his
predecessor and a head of a Government department, both of whom
confirmed the plans had been underway since 1987.
What is, or should be, of serious concern to all New Zealanders is the
secretive, undemocratic way in which the Government has attempted to
introduce this measure. At a time when a massive publicity campaign
and consultation exercise is underway concerning the proposed "Code of
Social and Family Responsibility", this can be seen as a smokescreen
for allowing far more important measures, such as the Land Transport
Bill, the MAI and the OECD's Financial Services Agreement, to be
slipped through with minimal publicity and extremely limited public
awareness of their ramifications. It is a little known fact that the
US Congress slipped through legislation in 1996 which allows that
country's President to impose a national identity system at will.
(This is an extract from a web page at
http://www.caverock.net.nz/~pdunford/privacy. The site includes links
to the report mentioned in the article and other articles of interest)
=======================================
Patrick Dunford, Christchurch, NZ
Voice: +64 (3) 351 7909, Fax:+64 (3) 351 5087
MailTo:pdunford@caverock.net.nz
Home Page: http://www.caverock.net.nz/~pdunford/
=======================================
------------------------------
Date: Fri, 22 May 1998 10:44:05 -0400
From: w.a.lynn@larc.nasa.gov (William A. Lynn III)
Subject: FAA to remove airmen's mailing addresses from public databases
AvWeb, an e-mail newsletter on aviation topics (www.avweb.com), recently
(5/22/98) broke this shocking news:
"PILOTS, PRIVACY AND POLITICS -- GUESS WHICH WINS?
The FAA ... stunned the alphabet groups..." (referring to various pilot's
and aircraft owners organizations) "...and many aviation businesses with a
decision to reverse its years-long policy of making publicly available the
mailing addresses of U.S.-certificated pilots."
The article goes on to bemoan the fact that "safety may ultimately suffer"
because pilots will no longer receive direct mail solicitation of safety
seminars, etc. A brief poll of several fellow private pilots indicates that
the only safety information we receive in the mail comes from aviation
organizations to which we belong, or directly from the FAA. In aviation,
genuine safety concerns are always valid, but they may, as in this case,
also be a smokescreen for other agendas.
There is also an editorial by the AvWeb editor, where he mentions "The most
obvious immediate casualties of this policy change are the thousands of
aviation associations and businesses that do direct mailings based on the
FAA airman file." I'm heartbroken.
The FAA, from what I understand, is not removing the existing address data
from public access unless one specifically requests it. What they are doing
is not automatically adding new or updated addresses.
But, to answer the original question: Guess which wins? Pilots who value
their privacy.
Bill Lynn
------------------------------
Date: Wed, 10 Jun 1998 21:24:57 -0700 (PDT)
From: Phil Agre <pagre@weber.ucsd.edu>
Subject: financial privacy
In a front-page article in the 6/11/98 Washington Post ("Hot High-Tech
Trade: Your Financial Facts; Sales of Confidential Data Raise Concerns"),
Robert O'Harrow Jr. describes businesses that advertise their ability to
obtain personal financial information such as account balances and stock
portfolios by making false or misleading "pretext calls" to the banks and
brokerage companies that control the information. This is evidently legal
in some states, though law enforcement officials are quoted claiming that
it is illegal in other states. Jim Leach (R-Iowa), chairman of the House
Banking Committee, plans to hold hearings.
This article is just one more illustration of a big fact: the traffic in
personal information in the United States has grown to monstrous proportion.
Because the victims of this practice are unlikely to learn that they have
been violated, and the firms whose "security" has been breached may never
realize that they have been deceived, market competition is not likely
to repair the problem. This kind of invasion -- the simple unauthorized
disclosure of personal financial information, with or without any proof
of harm -- should be both illegal and a cause of action for a lawsuit.
Phil Agre
------------------------------
Date: Tue, 9 Jun 1998 12:43:50 -0500 (CDT)
From: Carl Jester <jesterc@cmg.FCNBD.COM>
Subject: Inmates process vehicle records
Today's (June 9, 1998) Chicago Sun-Times has a cover story entitled "State
uses inmates to process vehicle records."
According to the article, maximum security prisoners at Joliet
update all the vehicle registration data.
This little-known arrangement surprised law enforcement
groups, crime victim organizations, and at least one
legislator. And many wondered whether criminals should
have access to personal data of millions of Illinois
residents, including such celebrities as Michael Jordan
and Oprah Winfrey.
Personally, I'd be more worried about abused spouses who have
moved, cops, prosecutors, and judges who helped arrest and
convict them, etc.
There is no evidence that any convict has used the
data to commit a crime or smuggled it out of prison
to someone else, state officials said.
So, let's wait until somebody really gets hurt?
"We've always said we will keep the information from
getting out, and we've done that," said Brian Fairchild,
a prison spokesman. "The other aspect is what would an
inmate do with the information?"
1. How do they know they've been successful? Simply because
they have never connected it to a crime? I suppose ignorance
is bliss. 2. What would they do with it? I can think of lots
of things to do with it, including fraud and revenge.
Ryan [the IL secretary of state - cj] also has moved
to restrict companies from using vehicle and driver's
records to send junk mail, but his spokeswoman Cathy
Ritter said those efforts exclude prisoners because
"there is no opportunity for any of these records
to be used in a mass mailing."
Surely the fraud and revenge I imagined above is worse than
any junk mail.
"If there was a serious public concern, we would
re-evaluate the program, but there's never been a
public concern in nearly 13 years," she said.
["she" is presumably Cathy Ritter - cj]
Surely there was never public concern because there was never
public knowledge.
"These (convicts) come under far greater supervision
than any state employee would," Ritter said.
"They are searched on the way in, and they're
searched on the way out" of the prison computer room,
she said. "They have no access to paper or pens or
pencils. They have no ability to take any kind
of notes."
Convicts are "processing hundreds of these on
any given shift," Ritter said, so it is doubtful
they could memorize names and addresses from the
data.
OK, they're supervised. OK, it's unlikely that they'll
memorize hundreds of addresses so they can do a mass
mailing. But I wouldn't bet my life that they couldn't
memorize the home address and current car of the
judge who passed sentence, or the cop who arrested
them, etc. These people didn't end up in maximum
security for spamming.
The Sun-Times also notes that prisoners in Kentucky handle
unemployment data, and Minnesota uses them for vehicle data.
There is also a note about prisoners being used in manufacturing,
which completely fails to bother me, although using inmates
in retail call centers is troublesome (TWA and Swiss Colony
are cited as examples).
The motivation is, naturally, money. The inmates cost the
state 16 cents per record, while having state employees
handle it would cost 27 cents per record.
Illinois prison officials have sought data entry
work for state tax returns, but they have been
rejected "three or four times," said Michael
Klemens, spokesman for the Illinois Department
of Revenue.
A prison spokesman responds that:
"It's probably better that we do it than the private
sector," Fairchild said. "And we also do it cheaper.
It keeps these guys busy. . . .At the same time, we're
not going to compromise anybody's personal security
or privacy."
The whole article is also currently available on the web at:
http://www.suntimes.com/output/home/data09.htm
------------------------------
Date: Fri, 29 May 1998 15:19:20 PST
From: "JERRY KANG" <kang@law.ucla.edu>
Subject: Article available: Information Privacy in Cyberspace Transactions
An article entitled "Information Privacy in Cyberspace Transactions"
will appear shortly in 50 Stan. L.R. 1193 (1998). An Acrobat PDF
copy is available at my web site (URL in my signature block). Any
reactions are welcome. An abstract follows:
---------------------------------------
Cyberspace is the rapidly growing network of computing and
communication technologies that have profoundly altered our lives. We
already carry out myriad social, economic, and political transactions
through cyberspace, and, as the technology improves, so will their
quality and quantity. But the very technology that enables these
transactions also makes detailed, cumulative, invisible observation of
our selves possible. The potential for wide-ranging surveillance of
all our cyber-activities presents a serious threat to information
privacy.
To help readers grasp the nature of this threat, Professor
Jerry Kang starts with a general primer on cyberspace privacy. He
provides a clarifying structure of philosophical and technological
terms, descriptions, and concepts that will help analyze any problem
at the nexus of privacy and computing-communication technologies.
In the second half of the article, he focuses sharply on the specific
problem of personal data generated in cyberspace transactions. The
private sector seeks to exploit this data commercially, primarily
for database marketing, but many individuals resist. The dominant
approach to solving this problem is to view personal information as
a commodity that interested parties should contract for in the course
of negotiating a cyberspace transaction. But this approach has so
far failed to address a critical question: Which default rules
should govern the flow of personal information when parties do not
explicitly contract about privacy? On economic efficiency and human
dignity grounds, Professor Kang argues in favor of a default rule
that allows only "functionally necessary" processing of personal
information unless the parties expressly agree otherwise. The
article concludes with a proposed statute, entitled the Cyberspace
Privacy Act, which translates academic theory into legislative
practice.
***************************************************
Privacy Alert: Do not forward without permission.
***************************************************
Jerry Kang, Acting Professor
UCLA School of Law, Box 951476
Los Angeles, CA 90095-1476
(overnight mail street address: 405 Hilgard Ave.)
Voice: 310.206.7298 Fax: 7010
mailto:kang@law.ucla.edu
http://www.law.ucla.edu/faculty/kang
------------------------------
Date: Thu, 04 Jun 1998 12:51:41 -0700
From: Beth Givens <bgivens@privacyrights.org>
Subject: New Guide on Children's Online Privacy
New Guide Alerts Parents to Internet Privacy Perils for Children
Contact: Beth Givens, Privacy Rights Clearinghouse
E-mail: prc@privacyrights.org Phone: (619) 298-3396
Web: www.privacyrights.org (Fact Sheet 21)
It's 10 p.m. Do you know where your children are? In many households,
they're surfing the Web. A new consumer guide by the Privacy Rights
Clearinghouse, "Children in Cyberspace: A Privacy Resource Guide," (12
pages) offers numerous tips for parents, their children, and policymakers
on safeguarding children's privacy while online. The guide lists many Web
sites to visit, reports to read, and the names of nonprofit organizations
and government agencies that are working on children's privacy issues. It
is available on the PRC's web site, www.privacyrights.org/. Look for Fact
Sheet 21.
Privacy Rights Clearinghouse
1717 Kettner Ave. Suite 105
San Diego, CA 92101
Voice: 619-298-3396
Fax: 619-298-5681
bgivens@privacyrights.org
http://www.privacyrights.org
------------------------------
Date: Mon, 25 May 1998 16:39:03 -0400
From: John Meola <jmeola@MCIONE.com>
Subject: Local police conduct drug sweep of college dorm
Our local paper (Akron Beacon Journal) reported yesterday (May 24) that
off-campus drug police using drug-sniffing dogs conducted a mass search of
an Ohio State University branch campus in Wooster, Ohio. The search included
all dorm rooms and student vehicles. It was conducted at 8:30pm on Thursday,
May 21.
Charges ranging from possession of marijuana to underage possession of
alcohol were forwarded to the Wayne County, Ohio, prosecutor for possible
arrest and prosecution. School disciplinary action is pending against the
students found with narcotics or alcohol in their dorms or cars.
Greg Ferrell, the campus police chief, was quoted as saying: "With our
recent increase in residential housing on the Wooster campus, we want to use
all the resources at our disposal to keep illegal drugs out."
He then followed this up with: "I believe the majority of the campus
community appreciates and supports these efforts." (Emphasis added)
Only those who have no regard for the sanctity of their residence, personal
privacy, and dignity would "appreciate and support" such an effort.
Unfortunately, the US Supreme Court has held that searches of students'
lockers and cars are constitutional. However, there is one major element of
this case that distinguishes it from court decisions dealing with student
privacy: the age of the students. As I understand it, the courts have come
down on the side of the schools in student-search cases, but those cases
involved students who were not of majority age and, thus, might be thought
to have a more limited set of rights than an adult.
However, these are grown adults who have entered into a contractual
relationship with OSU's housing department for dorm rooms during their
studies. In these contracts is a provision allowing the school to conduct a
search of student dormitories, but only when there is probable cause that a
law or school policy has been broken and only after providing a 24 hour
notice of the search. As a state institution, OSU is bound by the Ohio and
US constitutions, both of which have provisions limiting mass, warrantless
searches of residences absent probable cause.
Any civil liberties attorneys out there who can shed more light on this?
Could the students facing charges raise illegal search as a possible
defense?
John Meola
------------------------------
Date: Sun, 24 May 1998 18:26:43 -0400
From: Dennis Melamed <blt2go@erols.com>
Subject: Health Information Privacy Alert - May digest
HEALTH INFORMATION PRIVACY ALERT
May 1998 Digest
EUROPEAN PRIVACY DIRECTIVE TAKES DEBATE OUT OF THE REALM OF THE PRIVATE
The House International Relations Committee sees the European Union's
Privacy Directive as a nontariff barrier to trade, but acknowledges that
the U.S. must address the issue. Drug companies and others who handle
medical records fear that if the E.U. decides the U.S. does not provide
adequate privacy in this sector, it will prohibit the swapping of data.
The danger may not be imminent regardless of the Oct. 1998 deadline, the
Commerce Department told Congress. Many E.U. members have not enacted
the required legislation, thus making enforcement against third
countries more difficult.
NEW HOUSE BILL REVERSES PRESUMPTION ON PATIENT CONSENT
The House of Representatives showed signs of life in the medical records
confidentiality debate. Rep. Christopher Shays (R-Conn.) introduced a
provocative proposal which attempts to identify prohibited uses of
protected health information and then carve out exceptions to those
prohibitions so health care services can be provided and paid for
without the need for individual authorizations. The House Government
Reform & Oversight Committee held a hearing in May to examine the
proposal, which was received favorably by business groups. However, some
groups noted that unless there was better clarity in what was and what was not
allowed, health care providers would still seek patient authorizations
out of fear of the strong sanctions in the bill.
HEALTH CARE LAGS IN ELECTRONIC COMMERCE
Electronic commerce will grow at an explosive rate within two years,
according to a Deloitte & Touche Consulting Group survey of chief
information officers. Health care will not be leading the charge,
however. Customer electronic transactions in the health care sector
today stand at 6.1% and are predicted to rise to 33.3% in two years. But
the survey showed that this lags well behind other industries, such as
financial services. Statistical Svengalis will note that this means a
546% increase for the health care sector.
CONGRESS URGED TO CLOSE HIPAA LOOPHOLE ON GENETICS
Fear of discrimination by insurers based on genetic testing prompted
Congress to include a ban on using that information for group coverage
under the Health Insurance Portability and Accountability Act, but such
prohibitions were not placed on the individual market. This market now
is of particular concern to Sen. James Jeffords (R-Vt.), chairman of the
Senate Labor & Human Resources Committee. In a May 21 hearing, Jeffords
said an upcoming General Accounting Office report will show Americans
aged 55-65 will increasingly rely on the individual market.
States are not providing adequate protection either as up to 125 million
people fall under ERISA plans, which are pre-empted by federal law, the
National Breast Cancer Coalition said. Without a fix, research will
suffer as well as people will be afraid of the data finding its way to
employers and insurers.
PHARMACISTS IRATE OVER CVS SUIT
Pharmacists have been fuming over the criticism they have received
because of the CVS-Elensys-Glaxo Wellcome controversy. Pharmacy groups
say the reproofs have been unjustified because the customer data was
sold by the owners of the pharmacies, not by the practicing
professionals behind the counter.
PATIENT CONSENT LAWS THREATEN RETROSPECTIVE RESEARCH
The Mayo Clinic warned that retrospective research is being threatened
by state patient consent laws. A researcher told Congress that
frequently there is no way to statistically adjust for individuals who
refuse authorization for use of their medical records.
Health Information Privacy Alert is an independent monthly business
newsletter. For subscription information, send a message to
HIPAlert@aol.com. Due to the sensitivity to spam, please specify that
you wish to receive information via e-mail. If you wish to receive a
sample issue, e-mail your mailing address.
------------------------------
Date: Tue, 23 Jun 1998 00:43:24 -0400
From: Monty Solomon <monty@roscom.COM>
Subject: ACLU Condemns Mandatory Blocking Software in Public Libraries
Excerpt from ACLU News 06-19-98
New ACLU Report Condemns Mandatory
Blocking Software in Public Libraries
FOR IMMEDIATE RELEASE
Wednesday, June 17, 1998
NEW YORK -- In a 17-page white paper released today, the American Civil
Liberties Union said that the mandatory use of Internet blocking
software in libraries is inappropriate and unconstitutional.
The new report, Censorship in a Box: Why Blocking Software is Wrong for
Public Libraries, continues a line of argument the ACLU first made in a
well-received 1997 report and furthers its critique of industry plans to
adopt blocking mechanisms and expand them to libraries and schools. The
report comes as more and more librarians are being pressured to install
the software on library terminals to prevent minors from accessing
objectionable materials.
But the ACLU said mandatory blocking is not the solution. "Blocking
software is clumsy and ineffective," said Ann Beeson, an ACLU national
staff attorney who co-wrote the report. "It censors valuable speech and
gives parents and educators a false sense of security about what their
children are encountering online."
Beeson added that while the ACLU supports parents' right to use the
software in the home, they warn that no product can effectively screen
the vast content of the web, and many companies block sites for
ideological reasons that parents may not agree with.
The report also criticized a plan to condition Internet funding for
schools on the use of blocking software. The "Internet School Filtering
Act," introduced by Sen. John McCain (R-AZ), is also supported by lead
Democratic sponsors Sen. Patty Murray of Washington, home to Microsoft,
and Sen. Dianne Feinstein of California, home to Silicon Valley.
In a letter sent with the report to the Senate, the ACLU is urging Senators
not to support the bill when it comes up for a vote. "We believe that
educators, not Congress, should be the ones making decisions about what
students can learn on the Internet," said Laura W. Murphy, Director of
the ACLU's Washington National Office.
Today's report follows up an August 1997 ACLU white paper, Fahrenheit
451.2: Is Cyberspace Burning?, which offered guidelines for Internet
Service Providers and other industry groups contemplating ratings
schemes.
Similarly, Censorship in a Box proposes five guidelines for libraries
and schools looking for alternatives to clumsy and ineffective blocking
software:
-- Acceptable Use Policies. Provide carefully worded instructions for
parents, teachers, students and libraries on use of the Internet.
-- Time Limits. Establish content-neutral time limits on use of the
Internet; request that Internet access in schools be limited to
school-related work.
-- "Driver's Ed" for Internet Users. Condition Internet access for
minors on completion of an Internet seminar similar to a driver's
education course.
-- Recommended Reading. Publicize and provide links to websites
recommended for children and teens.
-- Privacy Screens. Install screens to protect users' privacy when
viewing sensitive information and avoid unwanted viewing of websites
by passers-by.
The report also includes a two-page "Q&A" on blocking software and
examples of sites that have been blocked by various products. The ACLU
emphasized that it did not seek to evaluate any particular product, but
rather demonstrate how all blocking software censors speech based on
subjective views about what is offensive.
Recently, the American Family Association, a conservative religious
group, learned this lesson when it found that CyberPatrol, a popular
brand of blocking software, had placed AFA on its "Cybernot" list
because the group is considered "intolerant" of homosexuality.
"Clearly, the answer to blocking based on ideological viewpoint is not
more blocking, any more than the answer to unpopular speech is to
prevent everyone from speaking, because then no viewpoint of any kind
will be heard," the ACLU's Beeson said.
The principal authors of Censorship in a Box are Ann Beeson, ACLU
National Staff Attorney and Emily Whitfield, Deputy Media Relations
Director of the National ACLU.
Censorship in a Box can be found online at
http://www.aclu.org/issues/cyber/box.html.
------------------------------
Date: Thu, 28 May 1998 00:11:31 -0400
From: Monty Solomon <monty@roscom.COM>
Subject: ACLU Says New Medical Privacy Legislation Falls Short
Excerpt from ACLU News 05-27-98
ACLU Says New Medical Privacy Legislation Falls Short
FOR IMMEDIATE RELEASE
Tuesday, May 19, 1998
WASHINGTON -- The American Civil Liberties Union expressed
disappointment today with the latest medical privacy legislation under
consideration by the House.
The Government Management, Information and Technology Subcommittee of
the House Government Reform and Oversight Committee convened today to
examine a proposal by Representative Chris Shays (R-CT) intended to
protect patient privacy.
The ACLU had offered substantive recommendations to Representative Shays
regarding the bill, but said this newest legislation still falls short
of protecting patients' privacy.
"Like most Americans, the ACLU strongly believes that a patient's
medical records should not be disclosed to anyone, unless the patient
provides specific written informed consent," said Solange Bitol, a
Legislative Counsel for the ACLU.
"Sadly, the Shays legislation does not give Americans the peace of mind
that when we confide in our doctors about extremely private matters, our
records will remain protected from prying eyes," Bitol said.
The bill would wipe out existing state laws that are more protective of
patients' rights, setting a cap on the privacy protections available to
patients, according to an analysis by the ACLU of Massachusetts, which
has been deeply involved in the medical privacy issue. Equally
troubling, the bill allows disclosure of patients' medical records to a
host of government and non-government agencies without the patient's
knowledge or consent.
"While the ACLU has serious concerns with the legislation, we would
welcome the opportunity to continue working with Representative Shays
and the Committee on revising the bill so that it truly upholds the
standards of patient confidentiality that are integral to protecting
Americans' privacy and health," Bitol said.
The ACLU identified additional major problems in the Shays bill,
including:
The section on Law Enforcement access to patients' medical records is
unclear and over broad. The evolving national network of medical records
databases must not become a law enforcement data base.
The bill places virtually no restrictions on disclosures within health
care entities (no matter how large or geographically widespread).
The bill exempts certain research-related medical records from any
privacy protections. It creates a new category of "Archival Research,"
which allows researchers, without patient consent, to access patients'
medical records. These records could be obtained from employers, health
care providers, health plans, public health authorities, health
insurers, life insurers, schools and universities. The current standard
of researchers seeking approval from the Institutional Review Board of
the hospital holding patient records is undermined -- only a "committee"
or other "group" review would be needed.
The bill's use of the term "Anonymized" is extremely misleading. In
actuality, this information would be Pseudo-Anonymized. It would
contain, in encrypted or encoded form, individual patient identification
information.
The so-called "Anonymized" Information is exempted from any of the
bill's privacy protections, opening the door to potential misuse of this
information by unsuitable parties.
------------------------------
Date: Tue, 23 Jun 1998 14:37:59 -0400
From: John Young <jya@pipeline.com>
Subject: NSA Declassifies Algos
DoD Press Release, June 23, 1998:
No. 316-78
IMMEDIATE RELEASE
June 23, 1998
(703)695-0192(media)
(703)697-5737(public/industry)
ENCRYPTION FORMULAS DECLASSIFIED
The Department of Defense today announced the decision by the
National Security Agency to declassify both the Key Exchange
Algorithm and the SKIPJACK encryption algorithm used in the
FORTEZZA(tm) personal computer card. FORTEZZA(tm) provides
security at the desktop in the Defense Message System and other
DoD applications. This marks the first time that the NSA has
declassified such information and made it commercially available.
This declassification is an essential part of the Department of
Defense's efforts to work with commercial industry in developing
reasonably priced computer protection products. This
declassification decision will enable industry to develop software
and smartcard based security products, which are interoperable
with FORTEZZA(tm). The availability of such products will enhance
the protection of DoD's sensitive but unclassified and critical
non-mission communications.
The decision to release SKIPJACK (an 80 bit encryption algorithm
that is not extensible to higher key lengths) and KEA (a 1024 bit
key exchange algorithm) is restricted to these particular
algorithms, and does not apply to other classified NSA algorithms.
The SKIPJACK and KEA algorithms and their source codes have been
declassified pursuant to Executive Order 12958.
Vendors interested in obtaining more information on this matter
should contact the National Security Agency Public Affairs Office
at 301-688-6524.
[End]
------------------------------
End of PRIVACY Forum Digest 07.11
************************